Britain’s cyber infrastructure has become inextricably linked to the nation’s economic well being. We work, play, shop, socialise, bank and pay tax online.
What’s more, we communicate by text, voice and video online. In short, we need our cyber infrastructure to be secure.
Cyber security, quite simply, is the set of processes and technologies that allow us to conduct business, commerce and our private lives digitally, while in a safe environment.
The UK market for cyber security is already worth over £17bn – up from £10bn in 2013 – and employs over 100,000 people, an increase of 39% from 2013.
Cyber security has been high on the news agenda – not least during the breach of security around dating website Ashley Madison – and companies overlook the importance of placing it at the heart of their organisations at their peril.
Dr Daniel Prince, associate director and business partnerships manager for Security Lancaster, Lancaster University’s security research centre, places the issues in context thus: “Cyber security is an increasingly important business issue affecting every business.
“The recent Internet Security Breaches Survey, by PWC on behalf of the Department for Business, Innovation and Skills, revealed that all sizes of company are increasingly at risk of an external attack – with 69% of large and 38% of small reporting a breach.
“The cost of those breaches are increasing, and increasing to a point that a single breach could bankrupt a small business.
“Indeed, the report found that the worst incident costs for small businesses ranged between £75,000 and £311,000.”
Research undertaken by Lancaster University has shown that regional picture is similar to the national one, with key regional industries and supply chains most at risk.
These particularly include: energy production; advanced manufacturing; health (especially digital health) and professional services, such as finance.
Dr Prince believes that the Cyber Essentials (Plus) Scheme – which the government has introduced to ensure that businesses maintain a baseline cyber security provision – will drive improvements in protection, especially where it is mandated for companies in critical supply chains.
He says: “But that is only part of the picture. The north west has a significantly growing cyber security industry.
“It is currently a service-based industry supporting the supply chains of those critical industries based in the region, coupled with some outstanding global businesses such as the NCC Group.
“Research work by Lancaster on behalf of UKTI show that the industry is rapidly growing regionally, is incredibly agile and can specialise to support key industries such as, energy production and digital health.
“These could create a truly global export opportunity for the region.
“This cyber security industrial base is supported by a strong research and innovation base through institutions such as Lancaster University as a recognised centre of excellence in cyber security in both research and education.
“Companies are also being encouraged to explore cyber research partnerships with universities through government programmes such as CyberInvest.
“All these ingredients, combined with the lower costs of running a business in the north west when compared to the south, create a fertile ground for our burgeoning cyber security industry, enabling the north west to be the cyber powerhouse of the northern powerhouse.”
The consensus among the experts is that threats to our cyber environments will continue to be many and various for the foreseeable future – and they are evolving on a near-daily basis.
Nonetheless, threats to individual, corporate and government activities online come from three primary sources:
Martyn Kendrick, regional director, SME Banking, North West, Lloyds Banking Group, said the era of e-commerce has made trading goods and services online easier than ever before, but it has also put businesses on the front line against a new kind of criminal who are determined to exploit these technologies for their own ends.
He said: “Whatever the motivation, such attacks are expensive to resolve and can leave a permanent stain of a firm’s reputation, forever compromising trust with its customers and suppliers.
“If customers’ personal data is compromised, the news can quickly go viral on social media.
“In extreme cases, attacks like these can damage a brand so badly it can never recover, so why does it seem some businesses are still not doing enough to identify and address the risks?”
The latest research from HP Enterprise Security shows that the average cyberattack still takes businesses 31 days to resolve, costing on average £11,545 a day – that’s a total £358,796.
And the growing number of high profile attacks have seen insurers hike their premiums for businesses that are perceived to be high risk, like those holding confidential data on their customers.
Kendrick said: “Cybersecurity isn’t just about being prudent. For any firm with online operations it must now be viewed as a fundamental part of their day-to-day activities. It’s incumbent on any modern business to ensure they have the right processes in place and that there is sufficient oversight within the organisation.”
Kendrick said when drawing up a strategy, some of the key questions businesses should be asking themselves are:
“Cyber security must be a company-wide concern,” said Kendrick.
“Building awareness throughout the business, including at board level, is as essential as installing security architecture and programmes.
“This starts with training staff to identify risks and help prevent attacks.
“Seemingly innocuous looking emails can harbour damaging malware designed to infect a system and steal information or spy on users without their knowledge.
“Some companies are also employing ethical hackers to test their systems, simulating sophisticated attacks to test a company’s readiness.
“These ‘poachers turned gamekeepers’ can then help draw up a defence strategy, which many firms find can dramatically improve their chances of resisting an attack.”
HR and employment law advisors ELAS’s head of consultancy, Peter Mooney, agreed that, in recent years, cyber security threats to businesses have become a very real and potentially damaging problem.
Mooney said: “Simple human mistakes, coupled with a lack of security awareness cause many cyber security breaches in the workplace. But not all cyber security breaches derive from unintentional error.
“Some stem from external sources, but some are from company insiders and are both purposeful and malicious, which is much more sinister.
“Insider threats pose myriad legal challenges, including how far companies can go in monitoring internal communications, with the European Court of Human Rights.
“For example, recently ruling that private employee messages may be read by employers under certain circumstances. It is, therefore, vital that employers place emphasis on protecting their confidential information from cyber security threats by implementing robust policies.
“The most effective way in which companies can build an effective policy to reduce cyber security threats is to focus on the legalities surrounding HR, employment law, privacy and employee benefits. Indeed, the Data Protection Act already requires organisations to ‘take appropriate technical and organisational measure’ to protect personal data from unauthorised access, damage, loss or disclosure.
“So companies may believe they already have the necessary infrastructure and compliance in place but should be aware that cyber security is not merely a box-ticking exercise. Cyber security is all about risk, so it is down to businesses as a whole to take responsibility for managing this with an ever-evolving cyber security programme that responds to the changing dynamics that threats to cyber security represent.”
Mooney said that companies should always ensure that new starters are aware of company protocol upon joining that business.
He added: “Additionally, cyber security is all about protecting a company’s confidential information, thereby creating a system that can successfully manage it.
“Effective prevention of cyber security threats requires a grasp of the laws that limit protective activity.
“Non-disclosure agreements can provide businesses with such protection, but they are only as effective as the policies put in place to enforce them.